Breach Notification Rule – HITECH (HIPAA Part 2)

The Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, was enacted as part of the American Recovery and Reinvestment Act of 2009, signed by President Barack Obama on February 17, 2009. The HITECH Act amends the federal HIPAA privacy and security rules.

Effective February 2010, several of the provisions of HITECH become active, including:

Breach notification.

Access to patient records.

Restrictions on the use and disclosure of protected health information.

Although HITECH went into effect on September 23, 2009, the U.S. Department of Health and Human Services stated that it would not impose sanctions for failure to comply with the new rules until February 2010.

Required provisions for HITECH compliance are:

Breach notification: The HITECH Act requires providers to notify affected individuals of any data breach promptly. If the data breach affects more than 500 people, the media must be notified in addition to the affected individuals. Also, if the breach affects more than 500 people, the Department of Health and Human Services must be notified. Breaches affecting fewer than 500 people must be reported to the Secretary of Health and Human Services on an annual basis.

Access to electronic health records: The HITECH Act now requires covered entities to provide individuals with electronic copies of their electronic protected health information. Individuals can also designate another person or entity to be the recipient of their electronic protected health information.

Prepare a summary of the records as an alternative to providing copies or allowing inspection.

Restrictions on disclosure of protected health information: The HIPAA privacy rule currently provides individuals with a right to request a restriction on the use or disclosure of protected health information for treatment, payment, or health care operations purposes. Until now, providers had no obligation to agree to that request. However, effective February 2010, if a patient has paid out-of-pocket for services rendered and has requested that the provider not send their health information (or portions thereof) to their insurance plan, the provider must comply with this request.